New Magecart Group Hits Hundreds of Sites Via Supply Chain

Researchers have uncovered a twelvth Magecart group using tried-and-tested methods to disseminate the digital skimming code by infecting the supply chain.

RiskIQ, which has for several years been tracking the activity of groups using Magecart to steal customer card details, claimed the new group has managed to infect hundreds of websites so far via a third party.

This firm is Adverline, a French advertising agency. The attackers are said to have compromised a content delivery network for ads run by the company to include a stager containing the skimmer code.

This means that any website loading script from the ad agency's ad tag would inadvertently load the digital skimmer for visitors.

“Group 12 built out its infrastructure in September 2018; domains were registered, SSL certificates were set up through LetsEncrypt, and the skimming backend was installed. Group 12 doesn’t just inject the skimmer code by adding a script tag—the actors use a small snippet with a base64 encoded URL for the resource which is decoded at runtime and injected into the page,” explained Magecart in a blog post.

“The skimmer code for Group 12 has an interesting twist; it protects itself from deobfuscation and analysis by performing an integrity check on itself. The actual injection script comes in two stages, which both perform a self-integrity check.”

RiskIQ warned that there’s the potential for thousands more businesses to be affected, given they all run the compromised ad tag.

This is the latest in a long line of Magecart activity which can be split roughly into two camps: attacks targeting firms’ websites directly, like the ones affecting BA and Newegg, and ones targeting suppliers.

Alongside this latest campaign, Magecart groups have been behind attacks on the developer Inbenta Technologies which led to Ticketmaster customers having their card data stolen.

Just this week it emerged that high street banks in the UK have been sending out new cards to potentially affected customers, months after the incident was first reported.